"NT Authority" mapping failures
Jeremy Allison
jra at samba.org
Tue Nov 27 17:31:40 UTC 2018
On Tue, Nov 27, 2018 at 06:26:42PM +0100, Ralph Böhme wrote:
> Hi Jeremy,
>
> I came across this ancient gem: :)
>
> 0492effcf36bc1229d0d2e9250b6c6c36af0b117
>
> By chance, do you remember the reasoning for ignoring mapping failures with
> these two domains?

Historically we didn't map Creator_Owner_Domain to a valid uid
(as it should have gotten changed to the creator uid/gid).

> I'm asking because I just stumbled across that currently mapping users and
> groups from "NT Authority" fails. I discovered this (though I faintly
> remember I ran into this before) when modifying CI to run raw.acls tests
> against the enhanced vfs_nfs4acl_xattr module.
>
> Most tests failed because lookupname "NT Authority/Authenticated Users" isn't
> working. I have a WIP patch to fix this (attached) and while poking around I
> came across the above commit that paves above such mapping failures in the
> posix_acls.c code.
>
> Thoughts? :)

It's the conversion of SID->uid/gid for meta-sids that have no POSIX
meaning that I was avoiding here.

Didn't want the POSIX ACL set to fail if it couldn't convert
a SID->uid/gid for an ACE entry that couldn't be represented
in a POSIX ACE entry.

No reason winbindd shouldn't handle them, so long as it doing
so doesn't break the conversion of Windows ACL -> POSIX ACL.

That's what I remember :-).

Jeremy.

> --
> Ralph Boehme, Samba Team https://samba.org/
> Samba Developer, SerNet GmbH https://sernet.de/en/samba/
> GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
> From f4663336ad11e8507ec771f91d0820fbebc91ab2 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Tue, 27 Nov 2018 17:05:58 +0100
> Subject: [PATCH] WIP: winbindd: handle "NT Authority"
>
> Without this:
>
> $ bin/wbinfo -n "NT Authority/Authenticated Users"
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name NT Authority/Authenticated Users
>
> $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for group NT Authority/Authenticated Users
>
> With the patch:
>
> $ bin/wbinfo -n "NT Authority/Authenticated Users"
> S-1-5-11 SID_WKN_GROUP (5)
>
> $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
> NT AUTHORITY/authenticated users:
> ---
> source3/winbindd/winbindd_util.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
> index 090a90574ce..e4af81ea868 100644
> --- a/source3/winbindd/winbindd_util.c
> +++ b/source3/winbindd/winbindd_util.c
> @@ -1516,11 +1516,12 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
> struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
> {
> if ( strequal(domain_name, unix_users_domain_name() ) ||
> - strequal(domain_name, unix_groups_domain_name() ) )
> + strequal(domain_name, unix_groups_domain_name() ) ||
> + strequal(domain_name, "NT Authority"))
> {
> /*
> - * The "Unix User" and "Unix Group" domain our handled by
> - * passdb
> + * The "Unix User", "Unix Group" and "NT Authority" domains our
> + * handled by passdb
> */
> return find_domain_from_name_noinit( get_global_sam_name() );
> }
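
Review bot: the added condition `strequal(domain_name, "NT Authority")` hardcodes the domain name as a string literal, while the two checks beside it go through unix_users_domain_name() and unix_groups_domain_name(); a named constant or accessor would keep the name defined in one place. The rewritten comment also carries over the typo "our handled by", which should read "are handled by". Because this routes name lookups for the domain to the passdb domain returned by find_domain_from_name_noinit(get_global_sam_name()), it would be worth a test confirming that a Windows ACL containing such SIDs still converts to a POSIX ACL, which is the concern raised in the reply above.
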
> --
> 2.17.2
>